diff --git a/awx/main/access.py b/awx/main/access.py
index b1e7c2fd7d..40eb3db2e1 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1420,7 +1420,10 @@ class NotificationAccess(BaseAccess):
 qs = self.model.objects.all()
 if self.user.is_superuser or self.user.is_system_auditor:
 return qs
- return self.model.objects.filter(notification_template__organization__in=Organization.accessible_objects(self.user, 'admin_role'))
+ return self.model.objects.filter(
+ Q(notification_template__organization__in=self.user.admin_of_organizations) |
+ Q(notification_template__organization__in=self.user.auditor_of_organizations)
+ ).distinct()

 def can_read(self, obj):
 return self.user.can_access(NotificationTemplate, 'read', obj.notification_template)
diff --git a/awx/main/tests/functional/conftest.py b/awx/main/tests/functional/conftest.py
index 3c335a2840..f970adc2e7 100644
--- a/awx/main/tests/functional/conftest.py
+++ b/awx/main/tests/functional/conftest.py
@@ -38,7 +38,10 @@ from awx.main.models.organization import (
 Team,
 )

-from awx.main.models.notifications import NotificationTemplate
+from awx.main.models.notifications import (
+ NotificationTemplate,
+ Notification
+)

 '''
 Disable all django model signals.
@@ -193,6 +196,15 @@ def notification_template(organization):
 notification_configuration=dict(url="http://localhost", headers={"Test": "Header"}))

+@pytest.fixture
+def notification(notification_template):
+ return Notification.objects.create(notification_template=notification_template,
+ status='successful',
+ notifications_sent=1,
+ notification_type='email',
+ recipients='admin@redhat.com',
+ subject='email subject')
+
 @pytest.fixture
 def job_with_secret_key(job_with_secret_key_factory):
 return job_with_secret_key_factory(persisted=True)
diff --git a/awx/main/tests/functional/test_rbac_notifications.py b/awx/main/tests/functional/test_rbac_notifications.py
index cafef084e6..a9a5e7c5f9 100644
--- a/awx/main/tests/functional/test_rbac_notifications.py
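Review bot: The new `filter(...)` in access.py scopes the listing by organization membership (`admin_of_organizations` / `auditor_of_organizations`), while `can_read` just below still delegates to `NotificationTemplate` read access, so the list rule and the per-object rule are two separate definitions that can drift apart. This change widens visibility of delivery records (recipients, subject) to organization auditors, so the intent should be stated next to the query, e.g. `# Org admins and org auditors of the template's organization may list notifications; keep in sync with can_read().` `Q` is used on the added lines but no import for it appears in this diff; it is presumably already imported in access.py, which is worth confirming. The enclosing method's `def` line is above the hunk.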
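Review bot: The new `notification` fixture stores `recipients='admin@redhat.com'`, a real routable mailbox, in test data. A reserved domain removes any chance of mail reaching it if this record is ever handed to a live backend: `recipients='admin@example.com',`. As far as the hunk shows the fixture only creates a database row, so this is hygiene rather than a defect.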
+++ b/awx/main/tests/functional/test_rbac_notifications.py
@@ -1,6 +1,9 @@
 import pytest

-from awx.main.access import NotificationTemplateAccess
+from awx.main.access import (
+ NotificationTemplateAccess,
+ NotificationAccess
+)

 @pytest.mark.django_db
 def test_notification_template_get_queryset_orgmember(notification_template, user):
@@ -86,3 +89,31 @@ def test_notificaiton_template_orphan_access_org_admin(notification_template, or
 notification_template.organization = None
 access = NotificationTemplateAccess(org_admin)
 assert not access.can_change(notification_template, {'organization': organization.id})
+
+@pytest.mark.django_db
+def test_notification_access_get_queryset_org_admin(notification, org_admin):
+ access = NotificationAccess(org_admin)
+ assert access.get_queryset().count() == 1
+
+@pytest.mark.django_db
+def test_notification_access_get_queryset_org_auditor(notification, org_auditor):
+ access = NotificationAccess(org_auditor)
+ assert access.get_queryset().count() == 1
+
+@pytest.mark.django_db
+def test_notification_access_system_admin(notification, admin):
+ access = NotificationAccess(admin)
+ assert access.can_read(notification)
+ assert access.can_delete(notification)
+
+@pytest.mark.django_db
+def test_notification_access_org_admin(notification, org_admin):
+ access = NotificationAccess(org_admin)
+ assert access.can_read(notification)
+ assert access.can_delete(notification)
+
+@pytest.mark.django_db
+def test_notification_access_org_auditor(notification, org_auditor):
+ access = NotificationAccess(org_auditor)
+ assert access.can_read(notification)
+ assert not access.can_delete(notification)
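Review bot: The added tests cover only the allow path (`count() == 1`, `can_read`) for org admin, org auditor and system admin; none checks that a user with no admin or auditor role in the template's organization gets an empty queryset and is refused. For an access-control change the deny path is the one that regresses silently, so add a case shaped like these using an unprivileged user fixture (placeholder name): `assert NotificationAccess(<unprivileged_user>).get_queryset().count() == 0` and `assert not access.can_read(notification)`. A user who is both admin and auditor of the organization, asserted with `count() == 1`, would also pin the `.distinct()` added in access.py.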